Researchers said the DLL sample did not execute the VBScript when run by itself. However, when run with Mshta.exe – a Windows-native utility designed to execute Microsoft HTML Application (HTA) files – Mshta.exe located and executed the VBScript without any issues. This evasion technique was used several times throughout the attack chain, both to change host settings and to launch payloads, according to researchers.
“This issue most closely resembles CVE-2020-1599, PE Authenticode signature remains valid after appending HTA supported scripts signed by any software developer,” said researchers. “These PE+HTA polyglot (.hta files) can be exploited through Mshta.exe to bypass security solutions that rely on Microsoft Windows code signing to decide if files are trusted. This issue was patched as CVE-2020-1599.”
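As an added, defender-side illustration of the PE+HTA polyglot described above (this is not code from the researchers or the article), the following Python scans a PE file's overlay, the bytes after the last section where appended data and the Authenticode certificate table live, for HTML/script markers that mshta.exe would interpret. The sample PE images are constructed inline, and the marker list is a heuristic assumption rather than a full Authenticode verification.

```python
import re
import struct

# Markers mshta.exe will interpret if they appear in the file (heuristic, not exhaustive).
HTA_MARKERS = re.compile(rb"<(?:script|html|hta:application)\b", re.IGNORECASE)


def end_of_last_section(data: bytes) -> int:
    """File offset where the last section's raw data ends; anything after it is overlay."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                          # section table follows the optional header
    end = table + 40 * num_sections                       # overlay can never start inside the headers
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def find_hta_polyglot(data: bytes) -> list[str]:
    """Lower-cased HTML/script markers found in the overlay; an empty list means no indicator.
    Signed files keep their certificate table in the overlay, so that region is scanned too."""
    overlay = data[end_of_last_section(data):]
    return [m.group(0).decode("ascii", "replace").lower() for m in HTA_MARKERS.finditer(overlay)]


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE (one section, 0xF0-byte optional header) for the demo only."""
    opt_size, raw_ptr, raw_size = 0xF0, 0x200, 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x2022)
    section = b".text\0\0\0" + struct.pack("<IIII", raw_size, 0x1000, raw_size, raw_ptr) + b"\0" * 16
    headers = dos + coff + b"\0" * opt_size + section
    return headers.ljust(raw_ptr, b"\0") + b"\x90" * raw_size + overlay


# Constructed samples: a clean image, and one with an HTA-style script block appended.
CLEAN_PE = build_sample_pe(b"")
POLYGLOT_PE = build_sample_pe(b"\0" * 16 + b'<HTML><script language="VBScript">MsgBox "demo"</script></HTML>')

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_PE), ("polyglot", POLYGLOT_PE)):
        print(name, find_hta_polyglot(sample))   # clean [] / polyglot ['<html', '<script']
```

A hit in the overlay is a triage signal to inspect the file and any mshta.exe process that loaded it, not proof of compromise on its own.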
Attackers also leveraged the legitimate Gpg4win utility, which allows users to securely transport emails; the NSUDO system management tool; the remote monitoring and management (RMM) tool Atera; and the remote access and support software SplashTop, in order to support activities like remote access, privilege escalation, launching of payloads, encryption and persistence. Of note, in some cases the attacker deployed the Atera tool directly in the initial compromise, as opposed to using the Batloader malware.
Finally, attackers downloaded malware like Beacon and Ursnif in order to provide backdoor and credential-stealing abilities.
Some of the activity in the campaign overlaps with techniques in several playbooks that were disclosed in August by a disgruntled Conti ransomware affiliate, which exposed training documents, playbooks, and tools used in Conti ransomware operations.
Conti, one of the many ransomware-as-a-service (RaaS) operations that have popped up in recent years, has several affiliates that have targeted an array of organizations, from healthcare providers to 911 systems. The FBI, CISA, and NSA in a joint September release warned of the group’s threat to enterprises.
“At this time, due to the public release of this information, other unaffiliated actors may be replicating the techniques for their own motives and objectives,” researchers said. “The threat group’s motivations are currently unknown, but we suspect that the group is financially motivated based on the seemingly industry-agnostic leading to ransomware activity.”